Yeah. Not all the publishers do it, though. Valve is an "enabler" for the other publishers to screw Aussies, but they don't actually seem to do it themselves as far as I can tell - Portal 2 was only $50 AUD at launch, which wasn't unreasonable.
I choose not to buy any games that are use predatory pricing on Australians. I'm just not ever going to spend $90 on a game and refuse to support publishers who engage in that sort of behaviour.
Excellent. I'm sick of the exploitation of software pricing in Australia. Price ratios haven't shifted at all since the 90s when the AUD was worth 0.6 USD. Now 1 AUD > 1 USD.
FYI, I've heard that Steam's DRM layer is optional and is applied at the publisher's discretion (not Valve's). Games that don't have the DRM turned on can be launched by just running the executable; the Steam client doesn't need to be running. These games are quite rare but I believe some examples do exist. (Defcon, perhaps? Try Google for examples). Although you can still only download the the game using the client, insofar as Valve offers no direct download servers.
You might also try Desura or GOG. Neither of those use DRM. However, all three are for "merchantable" quality games, not tech demos or alphas. Steam does offer mods for Valve games but that's about its limit for amateur efforts.
The malware still has to install on the user's OS, which requires browser/plugin exploits on the user's PC for user-privilege level access and possibly a local escalation bug if the malware wants admin rights without user "approval". So I think it's fair to cast _some_ aspersion at Apple here, even if WordPress is providing the server end of the malware deployment ecosystem.
But getting back to your point about WordPress. It seems to me that WordPress has been the server-side vector for far too many malware deployment efforts. I've certainly heard its name associated with a lot of previous malware storms. What are some more secure alternatives to WordPress?
Given that the Red Cross has traditionally had an internationally-recognized and (usually) protected role in theatres of conflict (along with its Islamic counterpart, the Red Crescent) I can understand why that organization's markings are deserving of protection above and beyond that of mere trademarks.
But screw the Olympics. They can just use trademarks like any other part of the entertainment, media & advertising industrial complex.
Ironic that you say Apple will solve the resolution deadlock.
My personal computer is a laptop with a 15.6" 1080p display. It's beautifully sharp. I've been running Windows 7 at 125% DPI scaling for over a year on it, and hadn't yet encountered a program that had any significant issues with the higher DPI settings.
And then I bought a 2012 iPad, which has an amazing high DPI screen. But the reason why it's so incredibly high DPI is because iOS has the worst resolution independence in the computing industry. It is basically completely incapable of scaling elegantly, which is why there are basically only 4 display sizes in the iOS device lineup (original iPhone screen, iPhone 4 screen at exactly double the original iPhone screen resolution, original iPad screen, and new iPad screen at exactly double the original iPad screen resolution).
And to support the iPad, I installed iTunes. Turns out, iTunes is BORKED at anything other than Window's default 100% scaling. Basically unusable, since many of the text labels in settings forms etc get chopped off at the end, so you can't even see what the text box you're clicking on is supposed to do. It is by far the worst program I have actually seen for handling non-default DPI settings in Windows.
So now I am back to 100% DPI scaling in Windows 7, and yes, the text is now on the small side of comfortable. I suppose I could just run at 125% most of the time and just change the scaling when I need to use iTunes...
Apple has been pushing really top-notch screens in their iOS devices, but it's mostly because Apple software is the WORST at handling resolution-independent graphics.
I didn't get the impression from the summary that DocumentCloud was any harder to indemnify due to its FOSS nature. Rather, they seemed to be lauding the fact that any entity willing to bear the legal risk (created by Murdoch) could set up a new instance easily.
I agree with you that Fairfax's behaviour is a concern. If they're going to publish stories based on these documents, they should be prepared to host them, and just delegate their risk to a third party with no recompense.
Maybe terrorists like to relax with their buddies with a game every now and then? They're people too, and I wouldn't be surprised if some aren't all that security conscious. Contact networks of such people would be useful, but I would have thought the DoD could get such data from MS/Sony with a warrant/subpoena. Hard to know what could be useful on the console itself.
As a matter of fact, I do know how severe the problem is - I work in this industry. Hence my comment about how PLCs should never be connected to the public internet. (It is a terrifying fact that internet scans have shown that, in fact, many PLCs *are* connected to the Internet. SCADA interface servers, too. My only hope is that those PLCs aren't controlling anything very sensitive. If I close my eyes and think happy thoughts, I can convince myself that they might just be telemetry data collectors with no field control capability...).
Anyway, I am personally disgusted by the attitudes of the PLC manufacturers to the security situation. Many of them seem to regard this as just an opportunity to sell upgrades to new hardware - which isn't even going to be on the market for months!
Let's look at what's actually changed as a result of adding these modules to Metasploit: 1) The PLCs are just as shitfully insecure as they were before 2) Exploitation of that crap security no longer requires the specialized knowledge and skillsets that it previously might have. It is now officially low-hanging fruit that any idiot can pluck. Script kiddies - and even most computer professionals - don't even know what ladder logic is. Now, they can erase the logic in a PLC - and still not even know what it is!
Maybe, _maybe_, a few highly publicised "incidents" enabled by point 2 will cause the manufacturers to make some progress on point 1. If that's the only way to improve the state of industrial communications security, I would call that an even more bleak and cynical "silver lining" than my original sarcastic comment.
In any case, you don't need Metasploit modules to know if a PLC with IP communications is insecure. Here is a simple process for detecting insecure IP PLCs on any network, based on Project Basecamp's presentation: 1) Is it a PLC, using hardware & firmware that is currently available on the market, with an IP based network interface? 2) Then it's insecure. None of the vendors passed their tests.
Air-gapping the network, or at least ensuring that there are strong chokepoints isolating the control network from anything else, helps quite a bit. That won't stop the most motivated actors (Stuxnet proves that) but at least it will keep the script kiddies and automated exploiters out.
To be perfectly clear, I think Project Basecamp is doing the world a huge service in identifying the security problems with PLCs. I think that creating Metasploit modules is going one step further than what's helpful, though. The world needs to know about exploitable holes in SCADA & control security, but it doesn't need easy ways to exploit them. Why do a vandal's work for them?
Oh good. What the world really needs is for script kiddies to be able to knock industrial equipment offline without even learning anything about the equipment they're attacking.
Well, maybe some incompetent fools who put PLCs on a publically-accessible network will learn a valuable lesson. I guess every cloud has a silver lining.
Most of your points are reasonably valid. The one about CSIRO is pretty much crap, though.
CSIRO is not an "obscure company"; it's Australia's premier government-funded research agency. While Australia is a lot smaller than the US, the quality of work done by CSIRO is definitely up there with America's premier Federal research institutions. Of course CSIRO didn't do much of the commercialisation of Wi-Fi tech - but that's because they're an R&D institution, not a company who sells product to end-users. Would you expect DARPA to start selling DARPA-branded internet routers to the general public just because DARPA was involved in the initial development of the internet? The tech that they developed, which the Wi-Fi standards bodies *chose to incorporate in the standard*, actually derived from Australian radio-astronomy research. And CSIRO didn't sit around waiting for the tech to become popular and then show up with a submarine patent at the last minute - they've actually been involved in negotiations and court cases over this very thing for a decade now.
Just because something useful and innovative comes out of Australian research rather than Silicon Valley doesn't mean that US companies have a god-given right to take all the profit for themselves. I'm sure that when the American government funds research, you wouldn't expect UK or Chinese companies to have the right to exploit that research in their own products for free....
The Android Market (now called Google Play) does let you re-download apps, yes. Basically, Google Play associates Android apps (and ebooks etc) with your Google account in the same way that the Steam store associates games with your Steam account.
Just like Steam, Google Play only lets you re-download apps that you bought from them originally. (Yes, I know about Steam activations of retail software... I'm ignoring that for simplicity right now). If you sideload apps onto your phone, either by directly loading an apk or by using a third-party market app such as the Humble Indie Bundle downloader or the Amazon app store, you won't be able to download *those* apps from Google Play.
Valve now does have a Steam app for Android, but they haven't entered the Android game-selling marketplace yet. I wouldn't be surprised if they do, though - it would be an obvious extension of their very successful Windows & Mac brand, and extending the Steam Play "buy one platform, get them all" deal to include Android versions of cross-platform games would be pretty sweet. But we're not going to see Steam selling iOS games any time soon, due to Apple's demanding a cut of all bits-for-bucks transactions that make use of "their" devices.
I don't know why the market is dominated by bitmapped icons, though. I have an Android phone and an iPad, and for 99% of the icons, there's just no good reason why they need to be bitmap graphics. They're usually relatively simple geometrical arrangements in a very restricted colour palette (often greyscale). I see no reason why those assets couldn't have been created and displayed using a vector format.
Yet... I know you're correct. I've seen commentary on the new iPad display talking about how some developers might find it harder or easier to support based on "how they created their assets". Well, if they'd used SVG and just exported to a raster format at the end, they wouldn't have a problem, would they?
I'd be interested in commentary from Android and/or iOS developers on whether those OSs actually have good support for storing and rendering icons & graphics in native vector formats like SVG. As the article says, Windows handles it pretty well.
In Australia, pre-paid Visa and Mastercards are available at post offices, supermarkets, and even petrol stations. So, basically, they're gift vouchers for every online store that takes Visa or Mastercard (which is all of them).
Do you have any knowledge of which iOS implementations are better? I just got my first iOS device and I'm wondering which version of KeePass to install. It would be very bad news to pick one that isn't trustworthy.
Slashdot Mirror
Bullshit. The writer of the app is bringing the user to Dropbox. Apple's relationship to the sale is tangential at best.
Would Microsoft be entitled to a cut if the Windows version of Adobe Photoshop shipped with a Dropbox plugin? Hell no.
Apple are just trying to get a cut of sales that they have no moral right to whatsoever, no matter what their developer "agreements" say.
Yeah. Not all the publishers do it, though. Valve is an "enabler" for the other publishers to screw Aussies, but they don't actually seem to do it themselves as far as I can tell - Portal 2 was only $50 AUD at launch, which wasn't unreasonable.
I choose not to buy any games that are use predatory pricing on Australians. I'm just not ever going to spend $90 on a game and refuse to support publishers who engage in that sort of behaviour.
So what you're saying is that the States of America should... Unionize?
What a strange concept.
Excellent. I'm sick of the exploitation of software pricing in Australia. Price ratios haven't shifted at all since the 90s when the AUD was worth 0.6 USD. Now 1 AUD > 1 USD.
I'm fairly sure some of the "Mac compatible" games use WINE, so I don't see why not.
FYI, I've heard that Steam's DRM layer is optional and is applied at the publisher's discretion (not Valve's). Games that don't have the DRM turned on can be launched by just running the executable; the Steam client doesn't need to be running. These games are quite rare but I believe some examples do exist. (Defcon, perhaps? Try Google for examples). Although you can still only download the the game using the client, insofar as Valve offers no direct download servers.
You might also try Desura or GOG. Neither of those use DRM. However, all three are for "merchantable" quality games, not tech demos or alphas. Steam does offer mods for Valve games but that's about its limit for amateur efforts.
The malware still has to install on the user's OS, which requires browser/plugin exploits on the user's PC for user-privilege level access and possibly a local escalation bug if the malware wants admin rights without user "approval". So I think it's fair to cast _some_ aspersion at Apple here, even if WordPress is providing the server end of the malware deployment ecosystem.
But getting back to your point about WordPress. It seems to me that WordPress has been the server-side vector for far too many malware deployment efforts. I've certainly heard its name associated with a lot of previous malware storms. What are some more secure alternatives to WordPress?
I doubt any of the sponsors of this effort have problems distinguishing themselves as a potential mating partner.
Given that the Red Cross has traditionally had an internationally-recognized and (usually) protected role in theatres of conflict (along with its Islamic counterpart, the Red Crescent) I can understand why that organization's markings are deserving of protection above and beyond that of mere trademarks.
But screw the Olympics. They can just use trademarks like any other part of the entertainment, media & advertising industrial complex.
Seems like a sample return mission is the only way to be sure.
Well, apart from nuking the site from orbit so thoroughly that we can conclude there is *no longer* life on Mars...
Ironic that you say Apple will solve the resolution deadlock.
My personal computer is a laptop with a 15.6" 1080p display. It's beautifully sharp. I've been running Windows 7 at 125% DPI scaling for over a year on it, and hadn't yet encountered a program that had any significant issues with the higher DPI settings.
And then I bought a 2012 iPad, which has an amazing high DPI screen. But the reason why it's so incredibly high DPI is because iOS has the worst resolution independence in the computing industry. It is basically completely incapable of scaling elegantly, which is why there are basically only 4 display sizes in the iOS device lineup (original iPhone screen, iPhone 4 screen at exactly double the original iPhone screen resolution, original iPad screen, and new iPad screen at exactly double the original iPad screen resolution).
And to support the iPad, I installed iTunes. Turns out, iTunes is BORKED at anything other than Window's default 100% scaling. Basically unusable, since many of the text labels in settings forms etc get chopped off at the end, so you can't even see what the text box you're clicking on is supposed to do. It is by far the worst program I have actually seen for handling non-default DPI settings in Windows.
So now I am back to 100% DPI scaling in Windows 7, and yes, the text is now on the small side of comfortable. I suppose I could just run at 125% most of the time and just change the scaling when I need to use iTunes...
Apple has been pushing really top-notch screens in their iOS devices, but it's mostly because Apple software is the WORST at handling resolution-independent graphics.
I did miss that! Thanks for the correction.
I didn't get the impression from the summary that DocumentCloud was any harder to indemnify due to its FOSS nature. Rather, they seemed to be lauding the fact that any entity willing to bear the legal risk (created by Murdoch) could set up a new instance easily.
I agree with you that Fairfax's behaviour is a concern. If they're going to publish stories based on these documents, they should be prepared to host them, and just delegate their risk to a third party with no recompense.
Maybe terrorists like to relax with their buddies with a game every now and then? They're people too, and I wouldn't be surprised if some aren't all that security conscious. Contact networks of such people would be useful, but I would have thought the DoD could get such data from MS/Sony with a warrant/subpoena. Hard to know what could be useful on the console itself.
As a matter of fact, I do know how severe the problem is - I work in this industry. Hence my comment about how PLCs should never be connected to the public internet. (It is a terrifying fact that internet scans have shown that, in fact, many PLCs *are* connected to the Internet. SCADA interface servers, too. My only hope is that those PLCs aren't controlling anything very sensitive. If I close my eyes and think happy thoughts, I can convince myself that they might just be telemetry data collectors with no field control capability...).
Anyway, I am personally disgusted by the attitudes of the PLC manufacturers to the security situation. Many of them seem to regard this as just an opportunity to sell upgrades to new hardware - which isn't even going to be on the market for months!
Let's look at what's actually changed as a result of adding these modules to Metasploit:
1) The PLCs are just as shitfully insecure as they were before
2) Exploitation of that crap security no longer requires the specialized knowledge and skillsets that it previously might have. It is now officially low-hanging fruit that any idiot can pluck. Script kiddies - and even most computer professionals - don't even know what ladder logic is. Now, they can erase the logic in a PLC - and still not even know what it is!
Maybe, _maybe_, a few highly publicised "incidents" enabled by point 2 will cause the manufacturers to make some progress on point 1. If that's the only way to improve the state of industrial communications security, I would call that an even more bleak and cynical "silver lining" than my original sarcastic comment.
In any case, you don't need Metasploit modules to know if a PLC with IP communications is insecure. Here is a simple process for detecting insecure IP PLCs on any network, based on Project Basecamp's presentation:
1) Is it a PLC, using hardware & firmware that is currently available on the market, with an IP based network interface?
2) Then it's insecure.
None of the vendors passed their tests.
Air-gapping the network, or at least ensuring that there are strong chokepoints isolating the control network from anything else, helps quite a bit. That won't stop the most motivated actors (Stuxnet proves that) but at least it will keep the script kiddies and automated exploiters out.
To be perfectly clear, I think Project Basecamp is doing the world a huge service in identifying the security problems with PLCs. I think that creating Metasploit modules is going one step further than what's helpful, though. The world needs to know about exploitable holes in SCADA & control security, but it doesn't need easy ways to exploit them. Why do a vandal's work for them?
Oh good. What the world really needs is for script kiddies to be able to knock industrial equipment offline without even learning anything about the equipment they're attacking.
Well, maybe some incompetent fools who put PLCs on a publically-accessible network will learn a valuable lesson. I guess every cloud has a silver lining.
Luckily, it never bloody rains in Western Australia these days.
Looks like the tech would be useless on the eastern coast though... :)
Most of your points are reasonably valid. The one about CSIRO is pretty much crap, though.
CSIRO is not an "obscure company"; it's Australia's premier government-funded research agency. While Australia is a lot smaller than the US, the quality of work done by CSIRO is definitely up there with America's premier Federal research institutions. Of course CSIRO didn't do much of the commercialisation of Wi-Fi tech - but that's because they're an R&D institution, not a company who sells product to end-users. Would you expect DARPA to start selling DARPA-branded internet routers to the general public just because DARPA was involved in the initial development of the internet? The tech that they developed, which the Wi-Fi standards bodies *chose to incorporate in the standard*, actually derived from Australian radio-astronomy research. And CSIRO didn't sit around waiting for the tech to become popular and then show up with a submarine patent at the last minute - they've actually been involved in negotiations and court cases over this very thing for a decade now.
Just because something useful and innovative comes out of Australian research rather than Silicon Valley doesn't mean that US companies have a god-given right to take all the profit for themselves. I'm sure that when the American government funds research, you wouldn't expect UK or Chinese companies to have the right to exploit that research in their own products for free....
The Android Market (now called Google Play) does let you re-download apps, yes. Basically, Google Play associates Android apps (and ebooks etc) with your Google account in the same way that the Steam store associates games with your Steam account.
Just like Steam, Google Play only lets you re-download apps that you bought from them originally. (Yes, I know about Steam activations of retail software... I'm ignoring that for simplicity right now). If you sideload apps onto your phone, either by directly loading an apk or by using a third-party market app such as the Humble Indie Bundle downloader or the Amazon app store, you won't be able to download *those* apps from Google Play.
Valve now does have a Steam app for Android, but they haven't entered the Android game-selling marketplace yet. I wouldn't be surprised if they do, though - it would be an obvious extension of their very successful Windows & Mac brand, and extending the Steam Play "buy one platform, get them all" deal to include Android versions of cross-platform games would be pretty sweet. But we're not going to see Steam selling iOS games any time soon, due to Apple's demanding a cut of all bits-for-bucks transactions that make use of "their" devices.
I don't know why the market is dominated by bitmapped icons, though. I have an Android phone and an iPad, and for 99% of the icons, there's just no good reason why they need to be bitmap graphics. They're usually relatively simple geometrical arrangements in a very restricted colour palette (often greyscale). I see no reason why those assets couldn't have been created and displayed using a vector format.
Yet... I know you're correct. I've seen commentary on the new iPad display talking about how some developers might find it harder or easier to support based on "how they created their assets". Well, if they'd used SVG and just exported to a raster format at the end, they wouldn't have a problem, would they?
I'd be interested in commentary from Android and/or iOS developers on whether those OSs actually have good support for storing and rendering icons & graphics in native vector formats like SVG. As the article says, Windows handles it pretty well.
This deserves some Interesting or Informative mods IMO.
A trailer/demo would be interesting. I'll check out the page.
In Australia, pre-paid Visa and Mastercards are available at post offices, supermarkets, and even petrol stations. So, basically, they're gift vouchers for every online store that takes Visa or Mastercard (which is all of them).
Are there no similar options where you are?
Thanks for the advice. I'll look into it.
Do you have any knowledge of which iOS implementations are better? I just got my first iOS device and I'm wondering which version of KeePass to install. It would be very bad news to pick one that isn't trustworthy.
Isn't the point of a beta to get feedback on what's wrong? If you wait till launch, it's probably too late.